The attacker must know the password for the loginuser account. The confd client is not available to the loginuser account. However, it is possible to list a directory containing a sub-directories whose names are valid session identifiers (SID) and can be used to make requests on behalf of other accounts, such as admin. This allows for escalation to root privilege.

Sophos UTM (C) Copyright 2000-2016 Sophos Limited and others. All rights reserved. Sophos is a registered trademark of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

For more copyright information look at /doc/astaro-license.txt or http://www.astaro.com/doc/astaro-license.txt

NOTE: If not explicitly approved by Sophos support, any modifications done by root will void your support.

The vendor has addressed this vulnerability in version 9.503. Release notes and download instructions can be found at: https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-503-released

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

6. Disclosure Timeline

2017.07.21 - KoreLogic submits vulnerability details to Sophos. 2017.07.21 - Sophos acknowledges receipt. 2017.09.01 - 30 business days have elapsed since the vulnerability was reported to Sophos. 2017.09.15 - KoreLogic requests an update on the status of this and other vulnerabilities reported to Sophos. 2017.09.18 - Sophos informs KoreLogic that this issue has been remediated in release 9.503 for UTM. 2017.10.24 - KoreLogic public disclosure.

7. Proof of Concept

See 3. Technical Description.

The contents of this advisory are copyright(c) 2017KoreLogic, Inc. and are licensed under a Creative CommonsAttribution Share-Alike 4.0 (United States) License:http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with aproven track record of providing security services to entitiesranging from Fortune 500 to small and mid-sized companies. Weare a highly skilled team of senior security consultants doingby-hand security assessments for the most important networks inthe U.S. and around the world. We are also developers of varioustools and resources aimed at helping the security community.https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt